I used the simpler 3.22.6-0ubuntu1 version number since 3.22 is yakkety
only (and does not conflict with zesty). Similar for xenial with 3.18.

** Description changed:

  Impact
  ======
  Saved passwords are accessible by HTTP sites in epiphany 3.18.10-0ubuntu1 for Ubuntu 16.04 LTS, 3.22.5-0ubuntu0.1 for 16.10 and older versions. This means that a man-in-the-middle fake version of a website could capture your password by presenting say a fake http://facebook.com/
  
  This is made worse because JavaScript can be used to collect filled-in
  form data even if the user has not clicked Submit yet.
  
  This is made worse because Epiphany doesn't yet respect the HSTS headers
  which force sites that have opted in to be only available via HTTPS.
  
  Test Case
  =========
+ osnews.com is an example of an http-only website that you can log in to.
+ What will happen upon upgrading is that your http password will only be associated with the https version of the site.
+ 
+ To get your old password, open the app menu at the top left of the
+ screen. Click Preferences. Switch to the Privacy tab and click Manage
+ Passwords. You can right click on the site to copy your password and
+ then manually paste it into your site.
  
  Regression Potential
  ====================
- Low. The fix is to move all already saved passwords to be associated with https. Users will need to enter this password in again if the site is HTTP only. This is disruptive if the only place the user has saved the password is in Epiphany. Websites should allow password reset. However, both Firefox and Chrome as of January 2017 warn users before entering passwords for http sites. Epiphany 3.24 will add that warning in its March 2017 release.
+ Moderate but acceptable. The fix for the security bug means that users will have to do more work to get their saved password for an http only website.
+ 
+ Epiphany 3.24 (only available for Ubuntu 17.04+) gives a prominent
+ warning about logging in to http websites, as do Firefox and Google
+ Chrome as of January 2017. So a bit more work is acceptable since users
+ should now be more cautious about logging into http sites.
+ 
+ Other distros shipped these new versions weeks ago.
+ 
+ Testing Done
+ ============
+ I built these updates and successfully ran them in Ubuntu 16.04 LTS and 16.10. I verified that my osnews.com account was converted to https in the password manager and was not auto-filled in the site. I then was able to manually enter my password to osnews.com and the password was now remembered as http.
  
  Other Info
  ==========
  Fixed upstream in 3.18.11 and 3.22.6:
  https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-18
  https://git.gnome.org/browse/epiphany/log/?h=gnome-3-18
  
  https://git.gnome.org/browse/epiphany/tree/NEWS?h=gnome-3-22
  https://git.gnome.org/browse/epiphany/log/?h=gnome-3-22
  
  https://mail.gnome.org/archives/distributor-list/2017-February/msg00000.html
+ 
+ Unfortunately the fix is spread out over several git commits. The new
+ upstream release is minimal enough I think it would be easier and safer
+ to just take the new version. The new version also fixes the critical
+ LP: #1668704 for xenial and a bug breaking twitter for yakkety (see
+ https://bugzilla.gnome.org/777714 )

** Changed in: epiphany-browser (Ubuntu)
       Status: Incomplete => New

** Changed in: epiphany-browser (Ubuntu Xenial)
       Status: Incomplete => New

** Changed in: epiphany-browser (Ubuntu Yakkety)
       Status: Incomplete => New

** Tags added: xenial yakkety

** Patch added: "epiphany-lp1661805-yakkety.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/epiphany-browser/+bug/1661805/+attachment/4840678/+files/epiphany-lp1661805-yakkety.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1661805

Title:
  Saved passwords for HTTPS sites can be accessed by HTTP sites

To manage notifications about this bug go to:
https://bugs.launchpad.net/epiphany-browser/+bug/1661805/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
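A small model of the flaw and of the fix discussed in this bug, added here as an example and not code from Epiphany or from the attached debdiff: the pre-fix store keys saved passwords by host alone, so an http page on the same host is offered an https credential, while the fixed store keys by origin (scheme, host, port) and migrates existing entries to https, after which an http-only site such as osnews.com must be re-entered and is then remembered as http. The store layout, function names and sample credentials are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample store modelling the pre-fix state: credentials keyed
# by host name alone, so the scheme plays no part in the lookup. This is an
# assumption made for illustration, not Epiphany's real libsecret schema.
LEGACY_STORE = {
    "facebook.com": ("alice", "hunter2"),  # saved while on https://facebook.com/
    "osnews.com": ("alice", "s3cret"),     # an http-only site
}


def origin(url):
    """Scheme + lowercase host + effective port: the unit a saved password is scoped to."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("unsupported URL: " + url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.scheme}://{p.hostname.lower()}:{port}"


def lookup_by_host(store, page_url):
    """Pre-fix behaviour: any page on the host, http included, is offered the credential."""
    host = urlsplit(page_url).hostname
    return store.get(host.lower()) if host else None


def migrate_to_https(legacy):
    """The fix described in the bug: re-key every saved password under its https origin."""
    return {origin(f"https://{host}/"): cred for host, cred in legacy.items()}


def lookup_by_origin(store, page_url):
    """Post-fix behaviour: only an exact scheme, host and port match is auto-filled."""
    return store.get(origin(page_url))


def save(store, page_url, username, password):
    """Re-entering a password on an http-only site stores it under the http origin."""
    store[origin(page_url)] = (username, password)


def walkthrough():
    """Replays the report's test case; returns what an http page sees before and after the fix."""
    leaked = lookup_by_host(LEGACY_STORE, "http://facebook.com/login")  # ("alice", "hunter2")
    fixed = migrate_to_https(LEGACY_STORE)
    after = lookup_by_origin(fixed, "http://facebook.com/login")        # None
    save(fixed, "http://osnews.com/login", "alice", "s3cret")           # user re-enters it
    return leaked, after, lookup_by_origin(fixed, "http://osnews.com/")
```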
